---
sidebar_position: 2
sidebar_label: What's new in version 1.11?
description: |-
  Learn all about the new features in OpenTofu 1.11.
---

# What's new in OpenTofu 1.11?

## New features

### Ephemeral Resources / Write-Only Attributes

**Ephemeral values** allow OpenTofu to work with data and resources that exist only in memory during a single OpenTofu phase, guaranteeing that those values will not be persisted in state snapshots or plan files.

You can now declare input variables and output values as being ephemeral, and you can use provider plugins that have been updated to include ephemeral resource types (e.g. for fetching a secret) or managed resource types with write-only attributes (e.g. for setting a password without saving it in OpenTofu state).

For more information, refer to [Ephemerality](https://opentofu.org/docs/v1.11/language/ephemerality/).

### Enabled meta-argument

The new **`enabled` meta-argument** offers an alternative to the existing `count` and `for_each` meta-arguments for situations where a particular resource instance or module instance has either zero or one instances.

The initial form of this argument is nested inside a `lifecycle` block, rather than directly inside a resource or module declaration, to avoid conflicting with existing input variables or resource type arguments named `enabled`.

For more information, refer to [the `enabled` meta-argument](https://opentofu.org/docs/v1.11/language/meta-arguments/enabled/).

## Improvements to existing features

### Tag support added to S3 backend

The S3 backend now supports **object tagging** your backend, allowing you to add custom tags to your state files for better organization and cost tracking.

## Deprecations

- **Azure Backend (`azurerm`)**:

  - The `endpoint` and `ARM_ENDPOINT` configuration options are no longer supported
  - The `msi_endpoint` and `ARM_MSI_ENDPOINT` options are no longer supported
  - The `environment` and `metadata_host` arguments are now mutually exclusive

- **issensitive() Function**: Now correctly returns unknown results when evaluating unknown values. Code that previously relied on the incorrect behavior may need updates.

- **Testing with Mocks**: Mock values generated during testing now strictly adhere to provider schemas. Test configurations with invalid mock values will need to be corrected.

- **S3 Module Installation**: When installing module packages from Amazon S3 buckets using S3 source addresses OpenTofu will use the same credentials as the AWS CLI and SDK.

- **TLS and SSH Security**:
  - SHA-1 signatures are no longer accepted for TLS or SSH connections
  - SSH certificates must comply with the `draft-miller-ssh-cert-03` specification


## Full Changelog

You can find the full changelog at https://github.com/opentofu/opentofu/blob/v1.11/CHANGELOG.md
